WingNews logo WingNews
top | item 46921538

(no title)

mldbk | 24 days ago

MITM usually will not work in case of pkg managers, since packages are signed. But still, attacker can learn what kind of software is installed on target. So I believe that HTTPS for privacy in case of linux package managers are fair enough.

discuss

order

Avamander|23 days ago

The attacker can meddle with every step taken before the signature verification. The way you handle the HTTP responses, the way you handle the signature format, all that. Captive portals have already caused corruption issues for Apt, signed packages be damned.

Saying it's "fair" is like saying engine maintenance does not matter because the tires are inflated. There are more components to it.

Ensuring the correctness of your entire stack against an active MITM is significantly more difficult than ensuring the correctness of just a TLS stack against an active MITM.